These are rough instructions of how to manually create basic Debian template cache, which can be used to create OpenVZ [[VE]]s based on Debian.

These are rough instructions of how to manually create basic Debian template cache, which can be used to create OpenVZ [[VE]]s based on Debian.

−

{{Warning|The recommended way is '''not to follow''' the below instructions, but to use the official Debian templates, modifying those to your needs.}}

+

{{Warning|The recommended way is '''not to follow''' the below instructions, but to use the official Debian templates, modifying those to your needs. Some template + container creation helpers are recommended at page [[Deploying Debian VEs without Templates]].}}

'''Notes:'''

'''Notes:'''

Line 30:

Line 30:

The command parameters are:

The command parameters are:

−

debootstrap --arch ARCH NAME DIRECTORY URL

+

debootstrap --arch ARCH NAME DIRECTORY [URL]

Specify your architecture instead of <tt>i386</tt> if you're using something other than i386/x86. For example, for AMD64/x86_64, use <tt>amd64</tt> or for ia64, use <tt>ia64</tt>. You can use http or ftp in the URL.

Specify your architecture instead of <tt>i386</tt> if you're using something other than i386/x86. For example, for AMD64/x86_64, use <tt>amd64</tt> or for ia64, use <tt>ia64</tt>. You can use http or ftp in the URL.

If you have any packages you'd like to remove, now's the time for it. Here's an example — note that not all of those packages are installed by default in Debian Squeeze (although they were in earlier versions):

If you have any packages you'd like to remove, now's the time for it. Here's an example — note that not all of those packages are installed by default in Debian Squeeze (although they were in earlier versions):

+

dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools

dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools

=== Disable services ===

=== Disable services ===

−

Do not start some services, stick to bare minimum:

−

update-rc.d -f klogd remove

−

update-rc.d -f quotarpc remove

−

update-rc.d -f exim4 remove

−

update-rc.d -f inetd remove

−

For dependency-based boot sequence introduced with Squeeze type:

+

Do not start some services, stick to bare minimum. This step is release dependent.

+

+

==== for Jessie ====

+

+

<source lang="bash">

+

# turn off and stop some services

+

for i in bind9 quotarpc fetchmail ondemand rsync uuidd wide-dhcpv6-client; do

+

systemctl stop $i

+

systemctl disable $i

+

done

+

+

# for upstart services comment out the start on in confs

+

for i in nmbd smbd samba-ad-dc rpcbind; do

+

systemctl disable $i

+

done

+

</source>

+

+

==== for Squeeze ====

update-rc.d-insserv -f klogd remove

update-rc.d-insserv -f klogd remove
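Review bot: In the new Jessie block, the comment `# for upstart services comment out the start on in confs` does not describe the loop beneath it, which only runs `systemctl disable $i` for nmbd, smbd, samba-ad-dc and rpcbind. Either reword the comment to say these units are disabled without being stopped, or add the step it describes. Both loops should quote `"$i"`, and because several of the listed units will not exist in a minimal debootstrap install, the text should say whether errors for missing units are expected and can be ignored.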

Line 182:

Line 208:

update-rc.d-insserv -f exim4 remove

update-rc.d-insserv -f exim4 remove

update-rc.d-insserv -f inetd remove

update-rc.d-insserv -f inetd remove

+

+

==== for older releases (Lenny, Sarge etc.) ====

+

+

update-rc.d -f klogd remove

+

update-rc.d -f quotarpc remove

+

update-rc.d -f exim4 remove

+

update-rc.d -f inetd remove

=== Fix SSH host keys ===

=== Fix SSH host keys ===

Line 258:

Line 291:

<source lang="bash">

<source lang="bash">

dpkg-reconfigure tzdata

dpkg-reconfigure tzdata

+

</source>

+

+

=== Create vzfifo script (for Jessie only) ===

+

+

This step is required '''for Jessie only''' (and is handled automatically by vzctl for earlier Debian releases). It ensures that <code>vzctl start --wait</code> works as expected.

+

+

<source lang="bash">

+

# Create vzfifo service

+

cat >> /lib/systemd/system/vzfifo.service << EOF

+

# This file is part of systemd.

+

#

+

# systemd is free software; you can redistribute it and/or modify it

+

# under the terms of the GNU General Public License as published by

+

# the Free Software Foundation; either version 2 of the License, or

+

# (at your option) any later version.

+

+

[Unit]

+

Description=Tell that Container is started

+

ConditionPathExists=/proc/vz

+

ConditionPathExists=!/proc/bc

+

After=multi-user.target quotaon.service quotacheck.service

+

+

[Service]

+

Type=forking

+

ExecStart=/bin/touch /.vzfifo

+

TimeoutSec=0

+

RemainAfterExit=no

+

SysVStartPriority=99

+

+

[Install]

+

WantedBy=multi-user.target

+

EOF

+

+

# Enable service

+

for service in vzfifo; do

+

systemctl enable $service > /dev/null 2>&1

+

done

</source>

</source>

=== Clean packages ===

=== Clean packages ===

After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.

After installing packages, you'll have some junk packages laying around in your cache. Since you don't want your template to have those, this command will wipe them out.

−

apt-get --purge clean

+

apt-get clean

Now everything is done. Exit from the template and go back to the hardware node.

Now everything is done. Exit from the template and go back to the hardware node.
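Review bot: The vzfifo step opens its heredoc with `cat >> /lib/systemd/system/vzfifo.service << EOF`, so running it a second time appends a second copy of the unit to the same file; use `>` so the file is overwritten. The unit's header comment says "This file is part of systemd", which is not true of a file written by this procedure and should be dropped. `systemctl enable $service > /dev/null 2>&1` discards any error, so a failed enable goes unnoticed even though the section says the step is required for `vzctl start --wait`; a plain `systemctl enable vzfifo` with errors left visible would be clearer than the one-item `for` loop.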

Latest revision as of 07:56, 5 August 2017

These are rough instructions on how to manually create a basic Debian template cache, which can be used to create OpenVZ VEs based on Debian.

Warning: The recommended way is not to follow the below instructions, but to use the official Debian templates, modifying those to your needs. Some template + container creation helpers are recommended at page Deploying Debian VEs without Templates.

Notes:

You shouldn't be running as root, but as a user that is permitted to use sudo instead. Running as root is dangerous; do so at your peril.

Anywhere you see /vz, you might really need to use /var/lib/vz instead, especially on a Debian Etch host.

Setting DNS server for VE

For the VE to be able to download updates from the Internet, we also need to specify a DNS server for it:

sudo vzctl set 777 --nameserver x.x.x.x --save

Creating /dev/ptmx

The ptmx character device should normally exist, but if it doesn't, create one.

sudo mknod --mode 666 /var/lib/vz/private/777/dev/ptmx c 5 2

Starting VE

Now start the VE:

sudo vzctl start 777

Customizing the installation

A few things need to be done inside a newly created VE for it to become suitable for OpenVZ. Enter the VE to begin the configuration. Note: if you are running a wheezy container on a squeeze hardware node, you'll need to manually install a newer version of vzctl (the one from wheezy will be fine: http://packages.debian.org/wheezy/vzctl) because of this bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=683454. Without this change, the enter command will hang. Exporting the path is optional.

sudo vzctl enter 777
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

Warning: Do not run the commands below on the hardware node, they are only to be run within the VE!

Set Debian repositories

The list shown is for wheezy and uses US-located servers; adjust your release name and mirror location as necessary.

Get new security updates

Install some more packages

Installing packages could be an interactive process so the system might ask some questions. You can install more packages if you'd like. For example:

apt-get install ssh quota less

Set sane permissions for /root directory

chmod 700 /root

Disable root login

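This locks the root password, which disables password-based root login by default. It does not affect other login methods, such as SSH keys.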

usermod -L root

Disable getty

Disable running gettys on terminals as a VE does not have any:

sed -i -e '/getty/d' /etc/inittab

Disable sync() for syslog

Turn off doing sync() on every write for syslog's log files, to improve I/O performance:

sed -i -e 's@\([[:space:]]\)\(/var/log/\)@\1-\2@' /etc/*syslog.conf

Fix /etc/mtab

Link /etc/mtab to /proc/mounts, so df and friends will work:

rm -f /etc/mtab
ln -s /proc/mounts /etc/mtab

Remove some unneeded packages

If you have any packages you'd like to remove, now's the time for it. Here's an example — note that not all of those packages are installed by default in Debian Squeeze (although they were in earlier versions):

dpkg --purge modutils ppp pppoeconf pppoe pppconfig module-init-tools

Disable services

Do not start some services, stick to bare minimum. This step is release dependent.

for older releases (Lenny, Sarge etc.)

Fix SSH host keys

This is only useful if you installed SSH. Each individual VE should have its own pair of SSH host keys. The code below will wipe out the existing SSH keys and instruct the newly-created VE to create new SSH keys on first boot.

Change timezone

You might want to change the timezone if you do not live in the UTC timezone. The following example is for Germany:

ln -sf /usr/share/zoneinfo/Europe/Berlin /etc/localtime

or even better

dpkg-reconfigure tzdata

Create vzfifo script (for Jessie only)

This step is required for Jessie only (and is handled automatically by vzctl for earlier Debian releases). It ensures that vzctl start --wait works as expected.

# Create vzfifo service
cat >> /lib/systemd/system/vzfifo.service << EOF
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.

[Unit]
Description=Tell that Container is started
ConditionPathExists=/proc/vz
ConditionPathExists=!/proc/bc
After=multi-user.target quotaon.service quotacheck.service

[Service]
Type=forking
ExecStart=/bin/touch /.vzfifo
TimeoutSec=0
RemainAfterExit=no
SysVStartPriority=99

[Install]
WantedBy=multi-user.target
EOF

# Enable service
for service in vzfifo; do
    systemctl enable $service > /dev/null 2>&1
done

Clean packages

After installing packages, you'll have some junk packages lying around in your cache. Since you don't want your template to have those, this command will wipe them out.

apt-get clean

Now everything is done. Exit from the template and go back to the hardware node.

exit
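
Before packing, the customization steps above can be checked from the hardware node against the VE's private area (for example /var/lib/vz/private/777). The script below is an added example, not part of the original page: the function names `audit_template` and `make_sample_root` are hypothetical, the sample tree is constructed for demonstration, and `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original page). Function names are hypothetical.
# audit_template ROOT: one line per finding; exit status = number of findings.
audit_template() {
    root=$1; findings=0
    flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

    # Host keys left in the template would be shared by every VE created from it.
    for k in "$root"/etc/ssh/ssh_host_*key*; do
        if [ -e "$k" ]; then flag "SSH host key present: /etc/ssh/${k##*/}"; fi
    done
    # Step: chmod 700 /root
    mode=$(stat -c %a "$root/root" 2>/dev/null || echo missing)
    [ "$mode" = 700 ] || flag "/root mode is $mode, expected 700"
    # Step: usermod -L root puts '!' in front of the password hash in /etc/shadow.
    pw=$(awk -F: '$1 == "root" { print $2 }' "$root/etc/shadow" 2>/dev/null || true)
    case $pw in '!'*|'*'*) ;; *) flag "root password is not locked" ;; esac
    # Step: /etc/mtab must be a symlink to /proc/mounts.
    [ "$(readlink "$root/etc/mtab" 2>/dev/null || true)" = /proc/mounts ] ||
        flag "/etc/mtab is not a symlink to /proc/mounts"
    # Step: sed -i -e '/getty/d' /etc/inittab
    if grep -q getty "$root/etc/inittab" 2>/dev/null; then
        flag "getty entries remain in /etc/inittab"
    fi
    # Step: apt-get clean
    for p in "$root"/var/cache/apt/archives/*.deb; do
        if [ -e "$p" ]; then flag "cached package: ${p##*/}"; fi
    done
    return "$findings"
}

# Constructed sample tree that skips every step, for demonstration only.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/etc/ssh" "$r/root" "$r/var/cache/apt/archives"
    chmod 755 "$r/root"
    : > "$r/etc/ssh/ssh_host_rsa_key"
    echo 'root:$6$constructed$hash:17000:0:99999:7:::' > "$r/etc/shadow"
    echo '1:2345:respawn:/sbin/getty 38400 tty1' > "$r/etc/inittab"
    : > "$r/etc/mtab"
    : > "$r/var/cache/apt/archives/constructed_1.0_all.deb"
    echo "$r"
}

demo=$(make_sample_root)
audit_template "$demo" || true   # prints six findings for the constructed tree
rm -rf "$demo"
```
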

Preparing for and packing template cache

We don't need an IP for the VE anymore, and we definitely do not need it in template cache, so remove it: